Analyze scan results

After a scan completes, you can view information on vulnerabilities, the name of the project creator, and the name of the person who ran each scan.

1. Select Scans in the header.

   The Scans page shows a list of scan projects..

2. Select a scan project.

3. On the Overview tab, view a summary of the scan results as well as a list of scans in the project.

   

   The summary section shows these details:

   • Score: A letter grade that represents the potential security risk for application based on the most recent scan in the project.

   • Vulnerabilities: The number of vulnerabilities discovered in the most recent scan.To see details about discovered vulnerabilities, select the number.

   • New Vulnerabilities: The number of new vulnerabilities discovered in the most recent scan. This value excludes vulnerabilities that previous scans discovered and are not fixed.

     For example:

     If Scan 1 discovered three vulnerabilities:

     • The number of vulnerabilities is three.

     • The number of new vulnerabilities is also three.

     If code modifications introduce a new vulnerability but do not fix existing vulnerabilities, when you run Scan 2:

     • The vulnerabilities number changes to four (all discovered vulnerabilities).

     • The new vulnerabilities number becomes one (the new one discovered in Scan 2).

     To see details about new vulnerabilities, select the number.

   • Remediated: The number of vulnerabilities that are fixed by changing source code or configuration files within the application.

     To see details about remediated vulnerabilities, select the number.

   • Scans completed: The number of scans completed in the project.

     To see details about completed scans, select the number.

   • Days since last scan: The number of days since the last scan completed.

   The Scan history shows these details:

   • Vulnerabilities: A bar that shows the different types of detected vulnerabilities for a scan.

     To view a filtered list of a specific type of vulnerability, select a section of the bar.

   • Label: The label associated with the scan.

     To view additional scan details, select the label.

   • Scan date The date the scan completed.

   • Name: The name of the person who ran the scan.

   • Language: The languages detected in the scanned code.

   • Coverage: A link to additional scan details.

   To export the results to a SARIF file, select the Download icon ( ) at the end of a scan's row.

4. To view more information about a specific vulnerability, select the Vulnerabilities tab and select the vulnerability.

   

   • The Overview tab for the selected vulnerability shows a description of the vulnerability, including what happened in your code and the risk associated with the vulnerability.

   1. To view the details about the vulnerability and its location in your code, select the Details tab:

      • The method where a vulnerability exists.

      • The file where the scan discovered the vulnerability.

      • The first line in the code where the scan discovered the vulnerability.

   2. To view suggestions for fixing the code, select the How to fix tab.

   3. To view suggestions for fixing the code from Secure Code Warrior, select the SCW How to fix tab.

      This tab includes suggestions from Secure Code Warrior as well as videos, links to additional information, and guidelines. If no relevant Secure Code Warrior information is available, this tab is not displayed.

   4. To view additional details about the vulnerability, select the Notes tab for these details:

      • When the vulnerability is detected

      • The code module where Contrast found the vulnerability

      • The type of vulnerability (for example, injection)

      • Severity

      • Risk confidence

      • Security standards that apply to the vulnerability

   5. To view vulnerability activity, select the Activity tab for these details:

      • The user who made changes

      • Vulnerability status changes

      • Comments